CertiFlow Trust Center · LIVE

Direct Consulting Solutions SA · Switzerland

Real-time view of CertiFlow’s compliance posture. Evidence is held in a tamper-evident vault — SHA-256 hash-chained and hourly Merkle-anchored to AWS S3 Object Lock in compliance mode.

Page generated 2026-06-17. Regenerated every 24 hours.

CertiFlow’s own evidence is held under Zero-Knowledge Encryption.
CertiFlow stores ciphertext only. If the platform is subpoenaed or breached, attackers receive mathematical static. Only CertiFlow holds the keys to CertiFlow’s evidence. The same model applies to every customer. The detailed cryptographic architecture is described on the Security page.

Active frameworks

SOC 2 Type II · AICPA TSC 2017 (rev 2022)
ISO/IEC 27001:2022 · 2022
GDPR · Regulation (EU) 2016/679
UK GDPR + DPA 2018 · 2021
HIPAA Security Rule · 45 CFR 164.302-318
PCI DSS v4.0 · 4.0.1 (June 2024)
NIS2 Directive · Directive (EU) 2022/2555

CertiFlow is itself in active build-out against these frameworks. SOC 2 Type I attestation is the next milestone. The platform powers our own evidence vault.

Security posture — what an attacker can take

Scenario | What an attacker obtains
Lawful court order, customer-specific | Ciphertext + plaintext metadata only
Production database breach | Ciphertext only at rest
Out-of-band backup vault breach | Ciphertext only at rest
Compromised CertiFlow insider with root | Metadata only; cannot decrypt evidence

Full threat model and ZKE architecture detail: Security page.

Operational posture

Live status: Operational
Audit chain: SHA-256 hash-chained; hourly Merkle anchor → S3 Object Lock compliance mode

Documents

Need deeper access for an audit?

External auditors can be invited to a read-only Auditor View scoped to the controls in their engagement — every page-view, every comment, every export is recorded in the tamper-evident audit chain. Email trust@certiflow.com with your organisation name and your auditor’s firm name.

CertiFlow — Zero-Knowledge GRC for regulated SMEs